Android Question Manifest problem with exported components followed by a security investigation

walter76

Hello everybody,
some apps of mine have been reviewed by a security investigation.

The resulting report says that we have to 'Restrict access to exported components with appropriate permissions (xml)'.

In another, more detailed section of the report the quote is 'Implement permissions on this exported component.', and they refer to the manifest, I suppose.

Some lines refer to activities, some others to Firebase services.

While at least one activity is based on Erel's example at https://www.b4x.com/android/forum/threads/sharing-files-from-your-app-with-file-provider.70458/
and probably I could manage to implement some permission (and if someone could point me to the right path I would be grateful)
I have a bigger problem with the Firebase services.

In the Manifest I added:

B4X:
CreateResourceFromFile(Macro, FirebaseAnalytics.FirebaseAnalytics)
CreateResourceFromFile(Macro, FirebaseNotifications.FirebaseNotifications)
CreateResourceFromFile(Macro, FirebaseAnalytics.GooglePlayBase)
CreateResourceFromFile(Macro, FirebaseAnalytics.Firebase)

but since these are macros, they expand in the resulting Manifest.xml with some sections having the attribute

B4X:
exported="true"

as in (for example):

B4X:
<service
    android:name="com.google.firebase.messaging.FirebaseMessagingService"
    android:exported="true">
    <intent-filter android:priority="-500">
        <action android:name="com.google.firebase.MESSAGING_EVENT" />
    </intent-filter>
</service>
<service android:name="anywheresoftware.b4a.objects.FirebaseNotificationsService">
    <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
    </intent-filter>
</service>

Then my questions are:
Can I control these attributes somehow using the Macros? I think I cannot.

Should I write the Manifest by hand using the Editor facilities (AddManifestText, CreateResource, AddActivityText ...)?

Can I set exported to false in those Firebase services, or should I study which permissions are fine for everyone?

Is there an example of Manifest editor syntax for Firebase from before the Macros I used, to have as a starting point?

I apologize for my English.
Thanks in advance.
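The check behind the report's finding can be reproduced locally on the generated Manifest.xml. The following Python script is an added example, not part of the original posts or of B4A: it lists activities, services and receivers that are exported, explicitly or through the platform default for components with an intent filter and no `android:exported` attribute, and that carry no `android:permission`. The wrapper manifest, the placeholder package name and the `.internal` activity are constructed around the two `<service>` entries quoted above; providers are left out.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample: the two <service> entries quoted in the post, wrapped in a
# minimal manifest. Package name and the extra activity are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <application>
    <service android:name="com.google.firebase.messaging.FirebaseMessagingService"
             android:exported="true">
      <intent-filter android:priority="-500">
        <action android:name="com.google.firebase.MESSAGING_EVENT" />
      </intent-filter>
    </service>
    <service android:name="anywheresoftware.b4a.objects.FirebaseNotificationsService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT" />
      </intent-filter>
    </service>
    <activity android:name=".internal" android:exported="false" />
  </application>
</manifest>"""

def is_exported(component):
    """An explicit android:exported wins; when it is absent, a component
    with an intent filter is exported (the pre-Android 12 default)."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None

def unprotected_exported(manifest_xml):
    """Return (tag, name, how) for exported components with no permission."""
    app = ET.fromstring(manifest_xml).find("application")
    app_permission = app.get(A + "permission")  # applies to all components
    findings = []
    for tag in TAGS:
        for comp in app.iter(tag):
            protected = comp.get(A + "permission") or app_permission
            if is_exported(comp) and not protected:
                how = "explicit" if comp.get(A + "exported") else "implicit"
                findings.append((tag, comp.get(A + "name"), how))
    return findings

if __name__ == "__main__":
    for tag, name, how in unprotected_exported(SAMPLE_MANIFEST):
        print(f"{tag:9} {name}  exported ({how}), no android:permission")
```

The second service is reported although it has no `exported` attribute at all, which is why a scanner can flag components that the manifest never marks as exported.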
 

walter76

Thanks Erel, we followed your tip and the security reviewers stopped bothering us :). Many of the reported security holes are however false positives of some heuristic algorithm of the software scanner used. Thanks again.
 